
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 - PDF document



  1. Hands-On Ethical Hacking and Network Defense Second Edition
     Chapter 5 Port Scanning

     Objectives
     • After reading this chapter and completing the exercises, you will be able to:
       – Describe port scanning and types of port scans
       – Describe port-scanning tools
       – Explain what ping sweeps are used for
       – Explain how shell scripting is used to automate security tasks

     Introduction to Port Scanning
     • What is a Port?
       – A logical address at which a computer accepts application-specific communications
     • What is Port Scanning?
       – The enumeration of ports that a target system identifies as open and responsive to communication
     • What are the Risks Associated with Open / Unused Ports?
       – Any port the system is listening on can be used to fingerprint the OS or potentially exploit the system
       – Always scan the full valid port range (0–65535), not just the well-known ports (0–1023)
     • What are the Legitimate Uses for Port Scanning?
       – To identify and verify security configurations
     • Port-scanning programs report:
       – Open ports (a service answered)
       – Closed ports (the host answered, but nothing is listening)
       – Filtered ports (no answer, or an ICMP error: a firewall is dropping the probe)
       – Best-guess running OS
     • Types of Port Scans
       – SYN scan (stealth / half-open scan: send SYN, read SYN/ACK for open or RST for closed, then reset instead of completing the handshake)
       – Connect scan (completes the three-way handshake, so the target application sees and logs a connection)
       – NULL scan (no TCP flags set; a closed port answers RST, an open port stays silent)
       – XMAS scan (FIN, PSH and URG flags set; same RST-or-silence rule as NULL)
       – ACK scan (used to map firewall rules: RST means unfiltered, silence means filtered; it cannot tell open from closed)
       – FIN scan (closed port responds with an RST packet; an open port does not respond)
       – UDP scan (closed port responds with ICMP "Port Unreachable"; no reply means open or filtered)
       – NULL, FIN and XMAS scans rely on RFC 793 behavior; stacks that answer RST on every flag combination (Windows, many Cisco devices) make every port look closed

     Using Port-Scanning Tools
     • Port-scanning tools
       – Hundreds available
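The connect scan and the open / closed / filtered states listed above, as an added example that is not code from the book: the scanner classifies each port from what connect() returns, and the target is a throwaway listener on 127.0.0.1 that the script starts itself, so it runs without a lab network. The host, ports and thread count are assumptions for the demonstration.

```python
"""TCP connect scan with open / closed / filtered classification.

Added example (not the book's code): the target is a throwaway listener on
127.0.0.1 started by the script itself, so it runs without a lab network.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Classify one TCP port the way a connect() scan can.

    connect() makes the kernel complete the full three-way handshake, so the
    connection shows up in the target's application logs (unlike a SYN scan),
    but it needs no raw-socket privileges.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return port, "open"            # SYN/ACK received, handshake completed
        except ConnectionRefusedError:
            return port, "closed"          # RST received: nothing listening
        except OSError:
            return port, "filtered"        # timeout or ICMP unreachable: dropped upstream


def connect_scan(host, ports, timeout=1.0, workers=64):
    """Scan the given ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: probe(host, p, timeout), ports))


def open_ports(results):
    return sorted(p for p, state in results.items() if state == "open")


# --- constructed stand-in target, so the scan has something to hit -----------

def _serve(srv):
    """Accept connections and drop them; exits when the socket is shut down."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        conn.close()


def start_listener(host="127.0.0.1"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                     # port 0: let the OS pick a free port
    srv.listen(16)
    threading.Thread(target=_serve, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)      # wakes the blocked accept()
    except OSError:
        pass
    srv.close()


def unused_port(host="127.0.0.1"):
    """Bind-and-release a port so we know nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan one listening and one unbound loopback port."""
    srv, listening = start_listener()
    closed = unused_port()
    try:
        results = connect_scan("127.0.0.1", [listening, closed])
    finally:
        stop_listener(srv)
    return listening, closed, results


if __name__ == "__main__":
    listening, closed, results = demo()
    for port in sorted(results):
        print(f"{port}/tcp\t{results[port]}")
    print("open:", open_ports(results))
```

Against a real target, the "filtered" branch is the one to watch: a firewall that drops probes makes every port cost the full timeout, which is why scanners run the full 0–65535 range in parallel rather than one port at a time.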

  2. • Many are open source or free
       – Not all are accurate
     • Be familiar with a variety
     • Practice often
       – Many CLI or GUI options to learn before you become competent
       – Choose one and stick with it for best results
     • Example tools include:
       – Nmap
       – Unicornscan
       – Nessus and OpenVAS

     Unicornscan
     • Developed to assist with large network tests
       – Ideal for large-scale endeavors
       – Scans 65,535 ports in three to seven seconds (the book's figure; the real rate depends on link speed and how the target handles the packet burst)
     • Handles port scanning using:
       – TCP
       – ICMP
       – IP
     • Optimizes UDP scanning
     • Open source
     • Runs on several *nix variants

     Nessus and OpenVAS
     • Nessus
       – First released in 1998
       – No longer under the GPL license (closed-source since version 3 in 2005)
       – Still available for download
       – Home edition is still available for free (limited capabilities)
       – Installed on your Attacker VM
     • OpenVAS
       – Open-source fork of the last GPL Nessus release (Nessus 2)
       – Performs complex queries while the client interfaces with the server
       – Capable of updating its security-check plug-ins
     • Security test programs (scripts)
       – Available in VM and Live CD versions
     • OpenVAS GUI Overview

     Conducting Ping Sweeps
     • Purpose:

  3. – Identify which IP addresses belong to active hosts
     • Ping a range of IP addresses
     • Problems:
       – Shut-down computers cannot respond
       – Networks may be configured to block ICMP Echo Requests
       – Firewalls may filter out ICMP traffic (a host that does not answer ping may still be up, so treat "no reply" as "unknown" and fall back to probing a TCP port such as 80 or 443)

     FPing
     • Pings multiple IP addresses simultaneously
     • Accepts a range of IP addresses
       – Entered at a command prompt (fping -g 10.0.0.0/24)
       – Or read from a file containing multiple IP addresses (fping -f targets.txt)
     • Input file
       – Usually created with a shell-scripting language

     Hping
     • Used to:
       – Perform ping sweeps
       – Bypass filtering devices
     • Allows users to inject modified IP packets
     • Powerful tool
       – All security testers must be familiar with it
       – Supports many parameters, including:
         • Spoofing the source address, raw IP mode, fragmentation, and TCP/UDP payloads (not just ICMP)

     Crafting IP Packets
     • Packet components
       – Source IP address
       – Destination IP address
       – Flags (the TCP control bits: SYN, ACK, FIN, RST, PSH, URG)
     • Helps obtain information about a service
     • Tools:
       – Hping
       – Fping
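What "crafting IP packets" means in practice, as an added example that is neither the book's nor hping's code: an IPv4 header plus a TCP header are packed byte by byte, the flag bits are set for each of the flag-based scan types from the Types of Port Scans slide, and both checksums are computed and verified. The addresses and ports are made-up values; send_probe() needs raw-socket privileges and is not called here.

```python
"""Hand-crafted IPv4/TCP probes for the SYN, NULL, XMAS, FIN and ACK scans.
Added example, not the book's or hping's code; addresses and ports are assumed."""
import socket
import struct

# TCP control bits, low to high (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag set sent by each scan type named in the chapter
SCAN_FLAGS = {
    "syn":  SYN,                 # half-open: reset on SYN/ACK instead of completing
    "null": 0,                   # no flags at all
    "xmas": FIN | PSH | URG,     # "lit up" like a Christmas tree
    "fin":  FIN,
    "ack":  ACK,                 # maps firewall rules; cannot tell open from closed
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_header(src, dst, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header; checksum covers the IPv4 pseudo-header too."""
    offset_flags = (5 << 12) | flags         # data offset = 5 words, no options
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ip_header(src, dst, payload_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header with DF set; source address can be anything (spoofing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, ident,
                      0x4000, ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_probe(scan, src, dst, sport, dport):
    tcp = build_tcp_header(src, dst, sport, dport, SCAN_FLAGS[scan])
    return build_ip_header(src, dst, len(tcp)) + tcp


def parse_probe(pkt):
    """Decode what a scanner or an IDS looks at; a valid checksum re-sums to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x3F,
        "ip_csum_ok": checksum(ip) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def flag_names(flags):
    bits = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return [name for name, bit in bits if flags & bit] or ["none"]


def send_probe(pkt, dst):
    """Put the crafted packet on the wire. Needs root / CAP_NET_RAW; not run here."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    for scan in SCAN_FLAGS:
        info = parse_probe(build_probe(scan, "10.0.0.1", "10.0.0.2", 40000, 80))
        print(f"{scan:5s} flags={flag_names(info['flags'])} "
              f"csums ok={info['ip_csum_ok'] and info['tcp_csum_ok']}")
```

The same SYN probe is what hping3 -S -p 80 <target> sends; -F, -A, -P, -U and -X select the FIN, ACK, PSH, URG and XMAS combinations. Reading the reply is the other half of a scan: SYN/ACK to a SYN probe means open, RST to a NULL/FIN/XMAS probe means closed, and no reply at all means filtered (or, for NULL/FIN/XMAS, open).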

  4. Understanding Scripting
     • Modify tools to better suit your needs
     • Customized scripts
       – Automate tasks
       – Save time
       – Require basic programming skills in a language such as:
         • PHP
         • Shell
         • PowerShell
         • Visual Basic
         • C#
         • C++
         • Etc.

     Scripting Basics
     • Similar to DOS batch programming
     • Script or batch file
       – Text file
       – Contains multiple commands
     • Repetitive commands
       – Good candidates for scripting
     • Practice is the key

     Summary
     • Port scanning (i.e., service scanning)
       – Scanning a range of IP addresses
       – Determines running services
     • Port scan types
       – SYN
       – ACK
       – FIN
     • Port-scanning tools
       – Nmap
       – Nessus
       – OpenVAS
       – Unicornscan
     • Ping sweeps
       – Determine which computers are "live"

  5. • Scripts
       – Automate time-consuming tasks
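The scripting idea from the ping-sweep and scripting sections above, as an added example that is not from the book: a script expands a target range into the input file fping reads, then turns fping's "<host> is alive" / "<host> is unreachable" lines into a live-host list for the port-scan stage. The sample output is constructed in that format rather than captured from a real run, and the addresses are assumptions.

```python
"""Ping-sweep plumbing around fping: build its target file, parse its output.
Added example, not the book's code. SAMPLE_OUTPUT is constructed, not captured."""
import ipaddress
import re
import subprocess

# fping reports one line per target: "<host> is alive" or "<host> is unreachable"
FPING_LINE = re.compile(r"^(?P<host>\S+)\s+is\s+(?P<state>alive|unreachable)\b")

# Constructed sample of what a run against 10.0.0.0/29 could print (assumed data)
SAMPLE_OUTPUT = """\
10.0.0.1 is alive
10.0.0.2 is unreachable
10.0.0.3 is alive
ICMP Host Unreachable from 10.0.0.254 for ICMP Echo sent to 10.0.0.4
10.0.0.4 is unreachable
"""


def expand_targets(spec):
    """Accept a CIDR ("10.0.0.0/29") or a dash range ("10.0.0.1-10.0.0.6")."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
    return [str(h) for h in ipaddress.ip_network(spec, strict=False).hosts()]


def write_target_file(targets, path):
    """One address per line, the format fping -f expects."""
    with open(path, "w") as f:
        f.write("\n".join(targets) + "\n")


def parse_fping(output):
    """Return (alive, unreachable) sets; ICMP error lines are skipped."""
    alive, dead = set(), set()
    for line in output.splitlines():
        m = FPING_LINE.match(line.strip())
        if m:
            (alive if m["state"] == "alive" else dead).add(m["host"])
    return alive, dead


def fping_command(target_file, retries=1, timeout_ms=500):
    """-f reads targets from a file, -r sets retries, -t the per-target timeout (ms)."""
    return ["fping", "-f", target_file, "-r", str(retries), "-t", str(timeout_ms)]


def run_sweep(spec, target_file="targets.txt"):
    """Full sweep: expand, write, run fping, parse. Requires fping on PATH."""
    write_target_file(expand_targets(spec), target_file)
    proc = subprocess.run(fping_command(target_file), capture_output=True, text=True)
    # combine both streams so the parse does not depend on which one fping used
    return parse_fping(proc.stdout + proc.stderr)


if __name__ == "__main__":
    alive, dead = parse_fping(SAMPLE_OUTPUT)
    print("live hosts for the port-scan stage:", sorted(alive))
    print("no ICMP reply (unknown, not necessarily down):", sorted(dead))
```

The "unreachable" set deserves the same caution the slides give: with ICMP blocked those hosts may still be up, so a TCP probe against them (nmap -Pn, or the connect scan earlier in the chapter) is the next step rather than dropping them from scope.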
